The PhishLabs Blog

Defining and Managing Success for Security Teams

Big or small, global or local, almost every organization uses some form of technology and therefore has security needs. Because of the nature of the work and the many variables in play, metrics and the definition of success are often subjective and differ from organization to organization.

For the little guy, it is rare to have even one dedicated IT person managing the network. In some cases it’s the most tech-savvy person in the room and a bit of wishful thinking. For large enterprises such as banks or hospitals, having a full security team and then some is standard.

These teams are tasked not only with protecting customer information, but also with reducing the chance that employees get phished or accidentally share private company information in a public forum, and with defending against other digital risks. Their list of tasks is seemingly endless, and as threat actors get more savvy the teams constantly have to tweak their methodology.

According to a CSO Online report in which SANS instructor Steve Armstrong was interviewed, metrics are about communication and are not black and white.

“IR staff shouldn’t fear stats or KPIs. They are simply the measurement of management. Understand how they work and you can communicate directly to executives,” stated Armstrong. “Business uses KPIs to measure performance and response times, so choosing good ones will enable a team to pitch for more resources and better support from the organisation.”

So besides a broad, sweeping metric of “let’s keep the company secure,” how do these various teams define and manage success? It’s about constant adjustment based on current levels of exposure, which in turn allows the team to mitigate risks more easily.

Marking Off the Compliance Checkbox

If there is one objective security metric, it’s that some organizations have to meet compliance requirements based on the industry they are in. That in itself creates a bare-minimum set of guidelines for an organization, which can then be paired with meeting federal laws on protecting user data. However, marking off a box is hardly an effective metric any longer. In most cases it means having some basic security tools in place, but that won’t stop an employee from falling for a socially engineered attack or an executive from accidentally sharing too much information online.

Threats to your enterprise change constantly, and because of this change your organization’s risk exposure needs to be monitored. High-risk companies in particular need to test regularly for exposure to risks. Staying abreast of new threats, monitoring for them, and running incident response drills should be an ongoing tactic. In doing so, organizations will be better prepared to expand their security resources and team if needed.

Test for risks more than once a year

Acceptable Levels of Risk and Impact

Can your organization withstand the impact of a data breach? How about a ransomware attack locking up a system? This year the city of Atlanta spent $2.6 million to recover from a ransomware attack. That’s a lot of taxpayer dollars. Even with cyber security insurance, the direct financial loss to an organization doesn’t even touch the reputational damage that can occur, reducing customers’ interest in a brand.

After testing for exposure risks, one particular success metric comes down to the balancing act of risk mitigation. Ultimately, an organization that is well trained and has the right tools in place will be too expensive a target for threat actors. Does this mean they are immune to attacks? Of course not, and that’s why security teams create a metric for acceptable levels of risk rather than a pipe dream of being 100 percent secure. Based on the potential risk exposure, a metric can be defined to show whether a team achieved that goal and its response time to a threat, and then to show trends year over year.

There will always be some level of risk exposure

The level of effort it takes to attack an organization reduces risk

Create a metric based on a team achieving or exceeding the acceptable level of risk exposure

Compliance and Risk Analysis

According to Matt Middleton-Leal, General Manager EMEA for Netwrix Corporation, success should stem from a combination of achieving compliance requirements, findings from a risk analysis, and comparing what is threatening your industry peers.

Quantitative risk analysis formula

There is a well-known quantitative risk analysis formula for estimating return on security investment coined by SANS. It is based on your assessment of the specific risks that a given security investment will address, i.e. how well it mitigates risks and how much money can be saved due to the reduced risk exposure.
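To make that formula concrete, here is an added worked example (not from the post, from Middleton-Leal, or from SANS) using the commonly cited form of the SANS return-on-security-investment calculation: ALE = SLE × ARO and ROSI = (ALE × mitigation ratio − cost) / cost. The risk figures, control cost and mitigation ratio are constructed sample values, and the break-even check is my addition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario; sle and aro are the analyst's estimates (assumed)."""
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro


def rosi(risk: Risk, mitigation_ratio: float, annual_cost: float) -> float:
    """Return on security investment, as a fraction of the control's cost.

    mitigation_ratio is the share of ALE the control is expected to remove
    (0.0 = no effect, 1.0 = eliminates the risk). A result above 0 means the
    control is expected to save more than it costs per year.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    savings = risk.ale * mitigation_ratio
    return (savings - annual_cost) / annual_cost


def break_even_ratio(risk: Risk, annual_cost: float) -> float:
    """Smallest mitigation ratio at which the control pays for itself.

    Sanity check against optimistic effectiveness claims: if a vendor's
    figure is only just above this value, the business case is fragile.
    """
    return annual_cost / risk.ale


# Constructed scenario: credential phishing, 4 incidents/year at $50,000 each;
# awareness training plus a reporting workflow costs $40,000/year and is
# assessed to remove 60 % of the expected loss.
PHISHING = Risk("credential phishing", sle=50_000, aro=4)

if __name__ == "__main__":
    print(f"ALE: ${PHISHING.ale:,.0f}")
    print(f"ROSI: {rosi(PHISHING, 0.6, 40_000):.0%}")
    print(f"Break-even ratio: {break_even_ratio(PHISHING, 40_000):.0%}")
```

For the constructed figures the control returns 200 percent on its cost and only needs to remove 20 percent of the expected loss to break even.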

Risk profile versus industry peers

Industry-specific research will help you learn what threats your peers in your industry encounter, how they address them, and see baselines to orient yourself. I advise starting with research conducted by Gartner.

Compliance status

If your company is subject to a compliance standard, you should include your compliance status as a factor when evaluating security efforts. You can gather this data by conducting internal audits to check whether your processes align with the standard’s guidelines, checking your grades on recent audits, and determining what areas you need to work on.

Organizational readiness to address incidents

By conducting attack simulations occasionally, you can track the performance of your team during the attack, test the effectiveness of your security program, and compare the results you achieve with the previous games. For example, you can look at how much time the team needed to detect and respond to the attack, who performed better, and who needs additional training.

Reducing Levels of Risk

Your users and employees are often the first to get blamed for letting security threats into the network, and that’s because in more cases than not they are in fact to blame. So who becomes responsible if a breach should occur? The security team, of course, regardless of the policies, technology, and processes in place. Regardless of the blame game, training users is one of the most effective ways of reducing risk, followed by addressing the gaps in security practices that your regular risk assessments identify.

If your organization also has an abuse inbox, or an inbox where user-reported suspicious content goes, those emails also need to be analyzed quickly. Analysis and confirmation of a targeted attack can prevent further impact, and because these attacks can happen at any time, the analysis cannot wait.

Ensure users are educated with security awareness training

Address gaps in security

Educate employees about digital risks beyond your network

Analyze user-reported suspicious content in a timely manner

Investing in Results

Although it’s not a metric, an organization’s policies and procedures are a firm foundation for building success metrics. This includes building out policies that protect the organization even beyond the network, such as organizational use of social media. With policies in place and regular testing, an organization will be better poised to track metrics that highlight what level of digital risk it could face. Though subjective, the metrics in place should allow your security team to argue firmly for wider organizational support, expanding the team, or bringing in new tools.